Canadian Underwriter

CatIQ conference speakers discuss ‘cyber cats,’ Lac-Mégantic response

February 4, 2016   by Greg Meckbach, Associate Editor


A malicious computer program reported to have interfered with uranium enrichment in Iran was a “game changer” in cyber security, but there is no historical data that actuaries could use to assess potential losses arising from “cyber cats” affecting industrial control systems, a computer science professor recently told insurance professionals.


Jose Fernandez, a professor at Montreal’s Ecole Polytechnique, was one speaker at the Canadian Catastrophe Conference, held Feb. 1-2 at the Toronto Board of Trade. Fernandez noted that “operational technology” is at risk of attacks from malicious code.

“The attack vectors are potentially the same” as for computer networks, he suggested, “but the consequences are not the same and the actors are not the same. Somebody who is infecting your machine, who wants to make a buck by using it to send spam is not going to be interested in the machine of an industrial control engineer more than any others.”

One example of a cyber security incident was Stuxnet, which Fernandez suggested was a “game changer.”

IEEE Spectrum magazine – published by the Institute of Electrical and Electronics Engineers – reports that Stuxnet is a computer worm discovered in June, 2010. It infected software at a uranium enrichment plant in Iran, by targeting machines running the Microsoft Windows operating system and then seeking software provided by Siemens AG that is used to program industrial control systems and operate equipment.

At the Canadian Catastrophe Conference, Fernandez said the centrifuges used to separate Uranium-235 from Uranium-238 in Iran would run at 14,000 rpm for days and weeks.

“They introduced some code in the hardware controllers that would have them spin at 14,000 rpm most of the time, and then a minute every hour they would slow down to maybe 13,000,” Fernandez said of the hackers. “Unless you were standing right next to it, you wouldn’t notice it. This change of speed was enough to remix the gases and they managed to essentially halt uranium production for about a year and a half, according to intelligence estimates.”

It is difficult for operational control experts to evaluate risk of a “cyber cat,” he added.

“There’s no historical data so there is no use asking your actuaries to look at the claims data,” he said. “We have this chicken and egg conundrum where there is no chicken and no egg.”

Another example of a cyber cat was accidental.

In August, 2013, a power outage affected large areas of Ontario and the Eastern United States, including New York City.

The root cause was a bug in control software that did not raise an alarm when it should have, Fernandez said.

“It fooled the human operator…to not make the right decision,” he said. “They didn’t see the alarm because there was no alarm.”

Canadian Catastrophe Conference was produced by Catastrophe Indices and Quantification Inc. (CatIQ), a sister company to MSA Research Inc. Fernandez spoke on a panel titled Preparing for Man-Made Catastrophes.

The other speaker was Paul Nony, senior toxicologist for Center for Toxicology and Environmental Health LLC – a Little Rock, Ark.-based consulting firm.

CTEH was one contractor that responded in 2013 to Lac-Mégantic, Quebec, where a runaway train hauling 72 crude oil tanker cars derailed, killing 47 and spilling about six million litres of contaminant into the environment.

Nony – who was not part of the CTEH team responding to Lac-Mégantic – noted that the wreckage was treated as a crime scene, with limited access.

“You have an investigation going on, you also have a chemical disaster, you have remediation that needs to start,” he said. “You have dozens of tank cars that have burned up, broken open, spilled their contents and what have you, that need to be moved out of there safely.”

Nony added that at Lac-Mégantic, there were “really high benzene concentrations, which created a very serious worker health and safety hazard and we had people responding.”

In order to work while wearing a respirator, a worker needs to have that respirator tested for proper fit and the worker needs to be medically cleared, he noted.

Nony showed the audience several photos, including some with wrecked DOT 111 tank cars.

“What we’ve been seeing with these crude oil derailments is this metal gets so hot, it starts to warp and at the end they just look like aluminum cans that someone came along and stepped on,” he said.
